Am I Secure?

    • #3294
      KrisTeason
      Participant

      Hey folks,

      I was wondering if I had done the basics to secure my Access Point; how secure am I truly? What I’ve done so far is implemented WPA2, enabled MAC Address filtering, hidden my SSID, disabled UPnP… is this really enough? Do you guys suggest changing my PSK every week or so, and if not, how often? Are there any type of tools out there that can identify my SSID even if I have it set to not broadcast? Appreciate the help!

    • #21861
      SynJunkie
      Participant

      I know you would have, but I’ll ask anyway.

      Have you changed the default password, disabled wireless administration and upgraded the firmware?

      Syn

    • #21862
      KrisTeason
      Participant

      I guess I forgot to include those. I didn’t disable the wireless administration, but I do often upgrade the firmware and of course have changed the default HTTP password; going to do that one now. Thanks. I also have a damn strong key, so I’m not exactly worried about a user cracking my encryption, just wondering if I’ve done about all I can do.

    • #21863
      SynJunkie
      Participant

      Put it this way.  You’ve done enough for someone like me to move on and find another wifi access point!

    • #21864
      KrisTeason
      Participant

      Sweet… and being a fan of your blog, you walking away from an access point is rare… I take it I’m fairly secure for now… thanks again for the input… still willing to accept others if you have any!

    • #21865
      eth3real
      Participant

      Hidden SSIDs can still be seen very easily with a tool like airodump-ng.
      Also make sure your password is somewhat randomly generated; people are trying dictionary attacks against WPA/WPA2 access points, I believe.

    • #21866
      KrisTeason
      Participant

      I’ll have to look more into that tool to see if I can get it to identify my SSID. As for dictionary attacks and randomly generating a pass phrase, that’s just about what I have right now. I also have my pass phrase starting with a Z; I figure if an attacker’s going to actually go and wait outside my house while running a dictionary attack against my key, he’d be waiting a long enough time that he’d eventually give up and move on to an easier target, or I’d notice his ass outside my house.

    • #21867
      eth3real
      Participant

      It’s a good tool; it comes with BackTrack. I have a laptop sitting on my desk (it has no hard drive or battery 🙁 ); its only use is to boot a BackTrack disc once in a while and check out wireless networks, etc. 😉

    • #21868
      SynJunkie
      Participant

      Thanks for the compliment on my blog, I appreciate it.

      One other thing: you could play around with the DHCP scope. Can you limit the leases handed out and move the subnet to something other than 192.168.1.x?

      This, along with your other measures, makes an attacker’s job a little harder.

      Regards

      Syn

      P.S. Or you could be plain evil, by securing it slightly so you know whoever uses it has used it knowing that they have bypassed your security, and then put an old Linux box between your AP and the internet and capture all the traffic. Sorry, I shouldn’t think out loud, I’d better put that hat away again 😉

    • #21869
      KrisTeason
      Participant

      SynJunkie you grey hat! eth3real, sounds like you need to replace that bad boy.

    • #21870
      SynJunkie
      Participant

      Oh, one last thing from me on this. I believe that there are ways of disabling the SSID broadcast altogether (if your router supports it), but be aware that any clients connecting will likely broadcast it initially. So you might want to be aware of that point.

      Cheers

      Syn

    • #21871
      Kev
      Participant

      What I always find interesting about wireless hacking is the difference between theoretical hacks that might work in a lab in a perfect environment and hacks that work in the real world. There is a difference, and it’s important to learn the difference, and that only happens with experience. If you have implemented all you say you have, practically speaking your network is safe. At least for now, lol. 😉

    • #21872
      eth3real
      Participant

      I agree, you’re probably very safe from anyone that would randomly start trying to gain access to your wifi.

      My wifi router at home has pretty much the same level of security, and I don’t feel like I should be worried about it.
      I once had a guy in my neighborhood compliment me because mine was the only wifi network he couldn’t break into (he assumed it was me because I have the CEH sticker on the back of my car). It was rather amusing. 🙂

    • #21873
      vijay2
      Participant

      It’s nice to see that you have gone through the trouble of securing your wifi network. But the question still remains: are you secure? Well, no one can answer that.

      For me, the amount of effort I put in to secure something is directly proportional to the data I am trying to protect. So the question is: what are you trying to protect?

      Again, as you said about the strong password, hiding the SSID, MAC addr authentication: all that can be easily broken if someone does capture enough packets, works on that offline and then comes back with all the info needed. The tools to achieve that were mentioned by Josh in the last “Perfect Storm Webcast”.

      So again the question remains: are you secure? Ummmm, it all depends how bad someone wants your data, but defense in depth is a great way to go.

      Just my 1 cent

      VJ

    • #21874
      Michael J. Conway
      Participant

      Syn,
      Going along with your slightly secure with Linux in between, my neighborhood has so many open APs it’s not funny. So to that end I found an old 802.11b router that I’m thinking of setting up as a honeypot just for grins to gather some traffic ;). Any advice on that?

    • #21875
      Kev
      Participant

      Please keep in mind there is the practical and there is the reality! There is a big difference! If you never had a cop or the FBI come into your life you are a cherry, LOL! Just kidding, but keep that in mind! Think like that!

    • #21876
      SynJunkie
      Participant

      sgt_mjc

      In answer to your question, there’s a few ways you could do this as I see it. You could move the AP onto the LAN and ARP poison between that and the gateway; however, this does place your LAN at risk if not done properly. An approach I like, which worked well for me in the past, was to set up an old box with PFSense on it and 3 network interfaces. I then put an AP onto the DMZ interface and used the PFSense box to capture all traffic that flowed from the DMZ to the outside interface. This got me what I wanted and did not put my LAN at risk.

      I’m sure there are a load more ways to do this, but this worked for me.

      Hope that helps.

      Syn

    • #21877
      CadillacGolfer
      Participant

      Disabling SSID doesn’t gain you much. When a client tries to connect it will pass the SSID in clear text to the AP. However, that being said, at least it won’t show up for any nosey non-techie neighbors to see. MAC filtering, again from a strict security perspective, gains you nothing. If you can sniff the traffic between a client and the AP, the MAC addies are passed in clear text. Though it will prevent someone from inadvertently connecting to it. Make sure your PSK is 20+ non-dictionary-word characters and you change the SSID name from its default to something unique. If you leave the SSID the default linksys, or wlan, or netgear or similar commonly used SSIDs and have a dictionary word for your PSK, you would be susceptible to a cowpatty table attack. And use WPA2 instead of WPA if you can. Some recent weaknesses have been discovered in WPA, but to be honest, I don’t know if the attack is practical yet or not or if there are any tools to do so.
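Worked illustration of the default-SSID and 20+ character advice above (added here; not CadillacGolfer's code or any tool from the thread): WPA/WPA2-PSK derives the PMK with PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, so a precomputed PMK table is only valid for one SSID, and a small checker applies the PSK advice. COMMON_SSIDS and TINY_WORDLIST are constructed stand-ins for real default-SSID lists and wordlists.

```python
import hashlib
import secrets
import string

# WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
# Because the SSID is the salt, a table of precomputed PMKs only works for that one SSID;
# leaving the default "linksys"/"netgear" SSID is what makes such a table worth building.
def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)

# Constructed stand-ins for a real default-SSID list and a real wordlist (demo only).
COMMON_SSIDS = {"linksys", "netgear", "wlan", "default", "dlink"}
TINY_WORDLIST = {"password", "letmein", "qwerty", "mynetwork"}

def psk_policy_issues(passphrase: str, ssid: str) -> list:
    """Return the problems with a passphrase/SSID pair against the 20+ non-dictionary advice."""
    issues = []
    if ssid.strip().lower() in COMMON_SSIDS:
        issues.append("default SSID: precomputed PMK tables exist for it")
    if len(passphrase) < 20:
        issues.append(f"passphrase is {len(passphrase)} chars, fewer than 20")
    if passphrase.lower() in TINY_WORDLIST:
        issues.append("passphrase is a dictionary word")
    return issues

def random_psk(length: int = 24) -> str:
    """Generate a passphrase with the OS CSPRNG; WPA passphrases are 8 to 63 printable ASCII characters."""
    alphabet = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{}~"
    return "".join(secrets.choice(alphabet) for _ in range(max(8, min(length, 63))))
```

The PMK for passphrase "password" and SSID "IEEE" is the published 802.11i test vector, so the derivation can be checked against it.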

    • #21878
      KrisTeason
      Participant

      Well of course I changed the SSID name & use WPA2; I should have been a little more specific. My PSK has been randomly generated; guess all I have to do now is make it over 20 characters instead of 17. vijay2, about you asking what am I trying to protect? If my network was like Kev’s I’d be trying to protect my 40 Gig porn stash! Joking… Just trying to remain fairly secure here; your guys’ responses have helped out a lot!

    • #21879
      Ne0
      Participant

      Hi KrisTeason!
      Actually, looking at how you have configured it, it’s pretty sure that you are normally secured. Hidden SSID is not of any concern, as hidden SSIDs can be brute-forced using MDK3, one of whose best features is brute-forcing hidden ESSIDs. It works in 2 ways: one, we can try every possible combination, suitable for short ESSIDs, or we can try using a default/custom-created ESSID list. Using MDK3, within a few seconds you can get the hidden ESSIDs.
      Posting you a post from Remote Exploit where the example is:
      Tested using Linksys WUSB54GC adapter and Linksys WRT54G Router.

      Commands:

      bt~#airodump-ng rausb0

      open one more window

      # If the command is supplied without the target -t parameter, it will brute-force all hidden ESSIDs in range.

      bt ~ # mdk3 rausb0 p -f SSID.txt -t 00:21:29:68:16:C2

      SSID Wordlist Mode activated!

      Waiting for beacon frame from target…
      Sniffer thread started

      SSID is hidden. SSID Length is: 11.
      Trying SSID: linksys
      Trying SSID: ascend
      Trying SSID:
      Trying SSID: mynetwork
      Trying SSID: fatport
      Trying SSID: 2WIRE975
      Trying SSID: 2WIRE186
      Trying SSID: 2WIRE707
      Trying SSID: 2WIRE774
      Trying SSID: 2WIRE436
      Packets sent: 1143 – Speed: 120 packets/sec
      Got response from 00:21:29:68:16:C2, SSID: “thunderbolt”

      Here you got the hidden ESSID in less than 10 seconds.

      And yeah, it’s good to keep your firmware upgraded, and check there are no port forwardings.

      regards
      Ne0

    • #21880
      KrisTeason
      Participant

      I’ve got to look into that mdk3 tool & code me up a quick tool to generate 2WIRE + 3NumberHere SSIDs. You guys want the generated 2WIRE SSID .txt list when I’m done?

    • #21881
      Vertigo
      Participant

      Easy way to get the SSID out of an AP:
      1. switch the card into monitor (promisc) mode – iwconfig wlan0 mode monitor
      or
      airmon-ng stop ath0
      airmon-ng start wifi0
      2. run airodump – airodump-ng -w dump -c 6 wlan0
      3. wait for a client to connect to the AP and deauthenticate the STA – aireplay-ng -0 10 -a BSSID_MAC -h STA_MAC wlan0
      4. Look at the airodump-ng console for the SSID

      Yes, a randomly generated 20-character-long PSK passphrase for WPA-PSK authentication and TKIP encryption with a rekeying interval of less than 1200 seconds, or WPA2-PSK authentication with CCMP (AES) encryption without rekeying restrictions, is good enough. 😀
      If you would like to be paranoid, you could use 802.1X port-based access control with a RADIUS server (for example FreeRADIUS 2.0.X) and EAP-TTLS/PEAP with MSCHAPV2/MSCHAP/CHAP/MD5/PAP tunneled client authentication. It runs fine… airodump-ng shows MGT in the authentication column.

      Good Luck!

      =================
      GCIG, Security+
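Added example from the defender's side (not Vertigo's code or part of any tool named in this thread): step 3 above depends on deauthentication frames, and a monitor-mode capture can be watched for a burst of them. The block parses raw 802.11 deauth frames and flags any sender that exceeds a threshold inside a sliding window; build_deauth only constructs the sample frames used as input, and AP plus the station MACs are made-up values.

```python
import struct
from collections import defaultdict

# Frame Control byte: bits 0-1 version, 2-3 type, 4-7 subtype. Deauth = type 0 (mgmt), subtype 12.
def fc_byte(ftype: int, subtype: int) -> int:
    return (subtype << 4) | (ftype << 2)

def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def build_deauth(bssid: str, sta: str, reason: int = 7) -> bytes:
    """Constructed raw 802.11 deauth frame (no radiotap header); used only as sample input."""
    header = bytes([fc_byte(0, 12), 0]) + b"\x00\x00"                # FC, flags, duration
    header += mac_bytes(sta) + mac_bytes(bssid) + mac_bytes(bssid)  # addr1=STA, addr2=sender, addr3=BSSID
    header += b"\x00\x00"                                             # sequence control
    return header + struct.pack("<H", reason)                         # reason code, little-endian

def parse_frame(frame: bytes):
    """Return (type, subtype, addr1, addr2, reason-or-None), or None if the frame is too short."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    reason = None
    if (ftype, subtype) == (0, 12) and len(frame) >= 26:
        reason = struct.unpack("<H", frame[24:26])[0]
    return ftype, subtype, mac_str(frame[4:10]), mac_str(frame[10:16]), reason

def deauth_alerts(captures, window: float = 1.0, threshold: int = 5) -> list:
    """captures: iterable of (timestamp, raw_frame). Return senders with >= threshold deauths in any window."""
    recent = defaultdict(list)
    alerts = set()
    for ts, frame in captures:
        parsed = parse_frame(frame)
        if parsed is None or parsed[:2] != (0, 12):
            continue                      # not a deauth frame; ignore
        times = recent[parsed[3]]         # keyed by addr2, the claimed sender
        times.append(ts)
        while ts - times[0] > window:     # drop timestamps that fell out of the window
            times.pop(0)
        if len(times) >= threshold:
            alerts.add(parsed[3])
    return sorted(alerts)

# Constructed sample capture: one normal deauth from the AP (reason 3, STA leaving), then a burst
# of broadcast deauths carrying the AP's address (reason 7), the pattern a deauth flood produces.
AP = "00:11:22:33:44:55"
SAMPLE = [(0.0, build_deauth(AP, "66:77:88:99:aa:bb", reason=3))]
SAMPLE += [(10.0 + i * 0.05, build_deauth(AP, "ff:ff:ff:ff:ff:ff")) for i in range(10)]
```

Because addr2 is unauthenticated in a deauth frame, the alert names the address that was claimed, not the device that actually transmitted.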

    • #21882
      Ne0
      Participant

      I’m working on BT4; its tools are too cool, with updated versions of older tools. Hang on for the full version of it.

    • #21883
      bigthugs0
      Participant

      Hey all… I’m new to this.

      Can anyone tell me how to hack a wireless network with WPA2 encryption and cipher CCMP and Auth: MGT that has usernames and passwords for accounts?

    • #21884
      UNIX
      Participant

      @vijay2 wrote:

      For me, the amount of effort I put in to secure something is directly proportional to the data I am trying to protect. SO the question is what are you trying to protect ?

      Is that really so? I don’t agree with this fully. Although almost everyone among us has some data which is private (nothing in particular, maybe family photos etc.), I don’t like the idea that someone uses my network for whatever without my knowledge and permission to do so.
      People who think that nothing will happen to them, e.g. by thinking nobody would hack their network or that they in particular will be the victim of such an attack, are somehow ignorant (I don’t mean you with this). I have often heard people saying that they will surely not become the target of such an attack, but the truth is that most (non-professional) attacks are launched randomly and everybody could by accident become a target.
      Depending on your country it also may become a legal problem when someone is using your network – not for the attacker but for the victim. In Europe several cases occurred where someone broke into someone else’s wireless network, downloaded some porn or did some illegal action, and afterwards the person owning the network was found guilty because it was his/her computer/network/infrastructure which was used and his/her fault, because they did not secure it properly. Whether they were just sloppy or lacking the technical knowledge doesn’t matter.

      So I think it is a good idea to secure a network as well as possible, also if there is no ‘danger’ (I am not considering things like putting up a honeypot or similar, as the average person may not be interested in this).

    • #21885
      Otter
      Participant

      @bigthugs0 wrote:

      Hey all… I’m new to this.

      Can anyone tell me how to hack a wireless network with WPA2 encryption and cipher CCMP and Auth: MGT that has usernames and passwords for accounts?

      I’ll save you some time: ain’t likely to happen. That’s a best-practices wireless config you’ve found right there. 🙂 If it’s Cisco infrastructure, maybe you’ll find some other BSSIDs from the same physical access point that are configured more loosely and attempt to join those if you can find clients and/or ESSIDs that are associated with those.

      Alternative approaches: callback trojan burned onto an autorun-configured CD or U3-enabled USB key labeled “private photos”, and leave it somewhere the owner of the access point or anyone on the LAN will pick it up and put it into their computer.

      Or if you wanna still stay in the wireless realm, go after the clients. See if the client or network involved has some of those lovely braindead Windows XP machines that bleat for their remembered access points, probing out to them hoping they respond. airbase-ng can then be used to set up a trojan access point with an ESSID matching those for which those clients are probing; set up a DHCP server on the same box serving addresses to the tun interface airbase-ng creates for ya; the “sheep” client box associates, you cheerfully offer it a DHCP address, and then you can attempt to see if it’s vulnerable to anything over the network. Or, if you have internet connectivity, you can MITM them with the full karmetasploit ball of wax and capture credentials as they try to go out to the net and instead find your rogue metasploit replicas of popular websites, and they’ll give up some credentials in the process, more than likely.

      Good luck!  And again, this presumes you’re going after a network you have written legal permission to attack. 
